Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems can be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as “data centers,” may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public.
Service providers or content creators (such as businesses, artists, media distribution services, etc.) can employ a series of interconnected data centers to deliver content (such as web sites, web content, or other digital data) to users or clients. These interconnected data centers are sometimes referred to as “content delivery networks” (CDNs) or content delivery systems. Existing routing and addressing technologies can enable multiple data centers associated with a content delivery system to provide similar or identical content to client computing devices. In some instances, each data center providing a set of content may be referred to as a point-of-presence (“POP”). A content delivery system can maintain POPs over a wide area (or worldwide) to enable the system to efficiently service requests from clients in a variety of locations.
Malicious entities occasionally attempt to disrupt the operations of service providers or content creators via network-based attacks (“network attacks”). One mechanism for doing so is a “denial of service” (DoS) attack. These attacks generally attempt to make a target computing device or network resource, such as a web site, unavailable to legitimate clients. One common instance of a DoS attack involves saturating the target device or network with external communications requests, such that it cannot respond to legitimate traffic, or it responds so slowly as to be rendered effectively unavailable. Because of the number of requests required to mount such an attack, responsibility for implementing the attack is often distributed across many computing devices. These distributed attacks are therefore known as “distributed denial of service” (DDoS) attacks. Because attacked targets, such as specific web sites or domain names, are often hosted or associated with a content delivery system, that system itself may also be targeted by the attack. Further, the content delivery system often hosts content on behalf of non-targeted systems or networks, which may also be affected by the attack due to their use of the content delivery system.
Because network attacks frequently attempt to oversaturate a target network, the content and form of the attack can vary. In some instances, data transmitted as part of an attack can be formed to resemble legitimate traffic. Thus, it can be difficult for both automated and manual systems to distinguish network attacks from legitimate traffic. Often, mitigation of a network attack involves discarding data assumed to form part of an attack. Thus, falsely identifying a network attack can result in legitimate traffic being discarded, which is of course undesirable. On the other hand, failing to quickly identify a network attack can result in resources becoming overloaded and unable to service legitimate requests, which is also undesirable.